public inbox for cygwin@cygwin.com
* ssh-pageant
@ 2020-04-23 13:50 Chris Rodgers
  2020-04-23 14:11 ` ssh-pageant Thomas Wolff
                   ` (3 more replies)
  0 siblings, 4 replies; 12+ messages in thread
From: Chris Rodgers @ 2020-04-23 13:50 UTC (permalink / raw)
  To: cygwin

Hi,

I find the ssh-pageant package helpful to enable cygwin ssh to interact 
seamlessly with PuTTY's Pageant SSH agent. One small issue is that after 
installing, one has to add the lines:

> # ssh-pageant
> eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")

(see https://github.com/cuviper/ssh-pageant) to .bashrc for each user.

Would it be acceptable to update the ssh-pageant package to add a file 
/etc/profile.d/ssh-pageant.sh that does this automatically?

Or is there another preferred way to do this, e.g. a postinstall script?

I'd be happy to draft a script file for review.

Thanks,

Chris.



* Re: ssh-pageant
  2020-04-23 13:50 ssh-pageant Chris Rodgers
@ 2020-04-23 14:11 ` Thomas Wolff
  2020-04-23 18:31   ` ssh-pageant Andrey Repin
  2020-04-23 16:40 ` ssh-pageant Chris Rodgers
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 12+ messages in thread
From: Thomas Wolff @ 2020-04-23 14:11 UTC (permalink / raw)
  To: cygwin

Am 23.04.2020 um 15:50 schrieb Chris Rodgers:
> Hi,
>
> I find the ssh-pageant package helpful to enable cygwin ssh to 
> interact seamlessly with PuTTY's Pageant SSH agent. One small issue is 
> that after installing, one has to add the lines:
>
>> # ssh-pageant
>> eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")
> (see https://github.com/cuviper/ssh-pageant) to .bashrc for each user.
>
> Would it be acceptable to update the ssh-pageant package to add a file 
> /etc/profile.d/ssh-pageant.sh that does this automatically?
Does what? Add something to other users' profiles? Sounds like MS-style 
patronizing of user preferences. Certainly not appreciated by most 
people. Also, why should most cygwin users want to use ssh via putty? 
Mintty + ssh is a seamless modular solution.

>
> Or is there another preferred way to do this, e.g. a postinstall script?
>
> I'd be happy to draft a script file for review.
>
> Thanks,
>
> Chris.
>



* Re: ssh-pageant
  2020-04-23 13:50 ssh-pageant Chris Rodgers
  2020-04-23 14:11 ` ssh-pageant Thomas Wolff
@ 2020-04-23 16:40 ` Chris Rodgers
  2020-04-23 16:47   ` ssh-pageant Chris Rodgers
  2020-04-23 18:33 ` ssh-pageant Brian Inglis
  2020-04-23 20:02 ` ssh-pageant Andrey Repin
  3 siblings, 1 reply; 12+ messages in thread
From: Chris Rodgers @ 2020-04-23 16:40 UTC (permalink / raw)
  To: cygwin

Thomas Wolff wrote:

> > Would it be acceptable to update the ssh-pageant package to add a file
> > /etc/profile.d/ssh-pageant.sh that does this automatically?
> Does what? Add something to other users' profiles? Sounds like MS-style
> patronizing of user preferences. Certainly not appreciated by most
> people. Also, why should most cygwin users want to use ssh via putty?
> Mintty + ssh is a seamless modular solution.

The sole purpose of installing ssh-pageant is to use pageant as an SSH 
key agent for openssh. It's not a base package. So the users who install 
ssh-pageant on their machines presumably want pageant to be their ssh 
key agent for openssh. So I am proposing that this should work 
immediately after the package is installed, without requiring editing 
the .bash_profile file.

Adding a file to /etc/profile.d/ssh-pageant.sh seems like it would be a 
simple way to achieve this.

I guess there is an issue for multi-user machines where different users 
want to use different SSH agents wherein the default ssh agent would be 
set for all users on installing ssh-pageant package. It can still 
trivially be overridden by a .bash_profile configuration of an SSH key 
agent in the user profile scripts.

What do people think? My driver is that it would be nice to streamline 
the standard setup for folk in my lab.

The other thought I had was to add a postinstall script, like some 
Fedora or Ubuntu packages have. Are these allowed to prompt the user 
interactively whether they wish to configure the profile setting?

BW

Chris.




* Re: ssh-pageant
  2020-04-23 16:40 ` ssh-pageant Chris Rodgers
@ 2020-04-23 16:47   ` Chris Rodgers
  2020-04-23 19:44     ` ssh-pageant Chris Rodgers
  0 siblings, 1 reply; 12+ messages in thread
From: Chris Rodgers @ 2020-04-23 16:47 UTC (permalink / raw)
  To: cygwin

On 23/04/2020 17:40, Chris Rodgers wrote:
>
> Thomas Wolff wrote:
>
>> > Would it be acceptable to update the ssh-pageant package to add a file
>> > /etc/profile.d/ssh-pageant.sh that does this automatically?
>> Does what? Add something to other users' profiles?

P.S. I realise I may have been unclear. By "does this" I mean running

> eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")

when ssh-pageant package is installed on the system, as a line in 
/etc/profile.d/ssh-pageant.sh file included with the package. There 
would then not be any changes to the per-user .bash_profile or .bashrc 
files.

BW

Chris.



* Re: ssh-pageant
  2020-04-23 14:11 ` ssh-pageant Thomas Wolff
@ 2020-04-23 18:31   ` Andrey Repin
  2020-04-23 18:59     ` ssh-pageant Thomas Wolff
  0 siblings, 1 reply; 12+ messages in thread
From: Andrey Repin @ 2020-04-23 18:31 UTC (permalink / raw)
  To: Thomas Wolff, cygwin

Greetings, Thomas Wolff!

> Am 23.04.2020 um 15:50 schrieb Chris Rodgers:
>> Hi,
>>
>> I find the ssh-pageant package helpful to enable cygwin ssh to 
>> interact seamlessly with PuTTY's Pageant SSH agent. One small issue is 
>> that after installing, one has to add the lines:
>>
>>> # ssh-pageant
>>> eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")
>> (see https://github.com/cuviper/ssh-pageant) to .bashrc for each user.
>>
>> Would it be acceptable to update the ssh-pageant package to add a file 
>> /etc/profile.d/ssh-pageant.sh that does this automatically?
> Does what? Add something to other users' profiles? Sounds like MS-style 
> patronizing of user preferences. Certainly not appreciated by most 
> people. Also, why should most cygwin users want to use ssh via putty? 
> Mintty + ssh is a seamless modular solution.

Who said anything about putty? We're speaking about pageant - the key keeper.
Which has better support in Windows apps than Cygwin's ssh-agent.

While I agree with your judgement, I don't get your patronizing.


-- 
With best regards,
Andrey Repin
Thursday, April 23, 2020 21:29:02

Sorry for my terrible english...



* Re: ssh-pageant
  2020-04-23 13:50 ssh-pageant Chris Rodgers
  2020-04-23 14:11 ` ssh-pageant Thomas Wolff
  2020-04-23 16:40 ` ssh-pageant Chris Rodgers
@ 2020-04-23 18:33 ` Brian Inglis
  2020-04-23 20:02 ` ssh-pageant Andrey Repin
  3 siblings, 0 replies; 12+ messages in thread
From: Brian Inglis @ 2020-04-23 18:33 UTC (permalink / raw)
  To: cygwin

On 2020-04-23 07:50, Chris Rodgers wrote:
> I find the ssh-pageant package helpful to enable cygwin ssh to interact
> seamlessly with PuTTY's Pageant SSH agent. One small issue is that after
> installing, one has to add the lines:
>	# ssh-pageant
>	eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")
> (see https://github.com/cuviper/ssh-pageant)
> to .bashrc for each user.
> Would it be acceptable to update the ssh-pageant package to add a file
> /etc/profile.d/ssh-pageant.sh that does this automatically?
> Or is there another preferred way to do this, e.g. a postinstall script?
> I'd be happy to draft a script file for review.

For the general case, you may want to suggest that the maintainer include
instructions about this in each upgrade notice, but nothing should be done in
the package as it assumes too much about users' environments.

For example: what if their default shell/s is/are not bash, or they don't
already have a .bashrc, and shouldn't you do that setup in whatever their shell
profile is, if they have one, and what if they don't; what if Pageant or Cygwin
don't use Cygwin /tmp/ but some other TMPDIR e.g. Windows ~/AppData/Local/Temp/;
what if your users run ssh from cmd without starting Cygwin; etc.?

You may do what your users allow you on their systems, but you have to ensure
that your Putty/Pageant and ssh setup additions work flawlessly on all of them,
coordinating between what you do for Pageant and what you do for ssh.

You may want to consider doing whatever is required in each user's ssh_config if
possible, or /etc/ssh_config to provide users defaults, as those depend least on
each user's environment.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: ssh-pageant
  2020-04-23 18:31   ` ssh-pageant Andrey Repin
@ 2020-04-23 18:59     ` Thomas Wolff
  2020-04-23 20:27       ` ssh-pageant Bill Stewart
  0 siblings, 1 reply; 12+ messages in thread
From: Thomas Wolff @ 2020-04-23 18:59 UTC (permalink / raw)
  To: cygwin

Am 23.04.2020 um 20:31 schrieb Andrey Repin:
> Greetings, Thomas Wolff!
>
>> Am 23.04.2020 um 15:50 schrieb Chris Rodgers:
>>> Hi,
>>>
>>> I find the ssh-pageant package helpful to enable cygwin ssh to
>>> interact seamlessly with PuTTY's Pageant SSH agent. One small issue is
>>> that after installing, one has to add the lines:
>>>
>>>> # ssh-pageant
>>>> eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")
>>> (see https://github.com/cuviper/ssh-pageant) to .bashrc for each user.
>>>
>>> Would it be acceptable to update the ssh-pageant package to add a file
>>> /etc/profile.d/ssh-pageant.sh that does this automatically?
>> Does what? Add something to other users' profiles? Sounds like MS-style
>> patronizing of user preferences. Certainly not appreciated by most
>> people. Also, why should most cygwin users want to use ssh via putty?
>> Mintty + ssh is a seamless modular solution.
> Who said anything about putty?
The Cygwin package manager (setup) in the description of the ssh-pageant 
package:
"SSH agent for Cygwin/MSYS that links to PuTTY's Pageant"
> We're speaking about pageant - the key keeper.
> Which has better support in Windows apps than Cygwin's ssh-agent.
>
> While I agree with your judgement, I don't get your patronizing.
>
>



* Re: ssh-pageant
  2020-04-23 16:47   ` ssh-pageant Chris Rodgers
@ 2020-04-23 19:44     ` Chris Rodgers
  0 siblings, 0 replies; 12+ messages in thread
From: Chris Rodgers @ 2020-04-23 19:44 UTC (permalink / raw)
  To: cygwin

So.. one more thing to consider. I just had a look in the cygwin package 
search for packages shipping files in /etc/profile.d/

It turns out that one example already shipping in Cygwin is 
http://www.cygwin.com/packages/x86_64/gnome-ssh-askpass/gnome-ssh-askpass-7.4-1

>
>   gnome-ssh-askpass: GTK+ passphrase grabber for ssh-add
>
>      2017-03-17 00:34           0 etc/
>      2017-03-17 00:34           0 etc/profile.d/
>      2017-03-17 00:34          97 etc/profile.d/gnome-ssh-askpass.csh
>      2017-03-17 00:34          52 etc/profile.d/gnome-ssh-askpass.fish
>      2017-03-17 00:34          52 etc/profile.d/gnome-ssh-askpass.sh
>      2017-03-17 00:34           0 usr/
>      2017-03-17 00:34           0 usr/lib/
>      2017-03-17 00:34           0 usr/libexec/
>      2017-03-17 00:34       14867 usr/libexec/gnome-ssh-askpass.exe
>      2017-03-17 00:34           0 usr/share/
>      2017-03-17 00:34           0 usr/share/doc/
>      2017-03-17 00:34           0 usr/share/doc/gnome-ssh-askpass/
>      2017-03-17 00:34        1253 usr/share/doc/gnome-ssh-askpass/COPYING
>      2017-03-17 00:34         531 usr/share/doc/gnome-ssh-askpass/README
There, 3 shell scripts are provided to cover users of several shells. I 
could do that.

And the contents are:

> $ cat gnome-ssh-askpass.sh
> export SSH_ASKPASS="/usr/libexec/gnome-ssh-askpass"
>
> $ cat gnome-ssh-askpass.csh
> if ( ! $?SSH_ASKPASS ) setenv SSH_ASKPASS ""
> setenv SSH_ASKPASS "/usr/libexec/gnome-ssh-askpass"
>
> $ cat gnome-ssh-askpass.fish
> set -x SSH_ASKPASS "/usr/libexec/gnome-ssh-askpass"

Is there any mileage in the argument that if we do this for Gnome's SSH 
helper, we can also reasonably do it for ssh-pageant?

I'll leave this for now and see whether anyone else has an opinion.

Best wishes,

Chris.



* Re: ssh-pageant
  2020-04-23 13:50 ssh-pageant Chris Rodgers
                   ` (2 preceding siblings ...)
  2020-04-23 18:33 ` ssh-pageant Brian Inglis
@ 2020-04-23 20:02 ` Andrey Repin
  2020-04-23 20:20   ` ssh-pageant Chris Rodgers
  3 siblings, 1 reply; 12+ messages in thread
From: Andrey Repin @ 2020-04-23 20:02 UTC (permalink / raw)
  To: Chris Rodgers, cygwin

Greetings, Chris Rodgers!

> I find the ssh-pageant package helpful to enable cygwin ssh to interact
> seamlessly with PuTTY's Pageant SSH agent. One small issue is that after 
> installing, one has to add the lines:

>> # ssh-pageant
>> eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")
> (see https://github.com/cuviper/ssh-pageant) to .bashrc for each user.

> Would it be acceptable to update the ssh-pageant package to add a file 
> /etc/profile.d/ssh-pageant.sh that does this automatically?

It's not that simple. You can't blindly restart agent every time you wish
without notifying other programs, `--reuse` is a very bad idea and there's
no easy way to set/change an environment variable globally for an entire
user session.

> Or is there another preferred way to do this, e.g. a postinstall script?

> I'd be happy to draft a script file for review.

Just create a script for yourself and amend your own .bashrc accordingly.

I do it this way:

1. Add

----- 8< ----- 8< ----- 8< ----- 8< -----
# Import ssh-pageant settings
test -f "$HOME/.ssh/agent" && . "$HOME/.ssh/agent"
----- >8 ----- >8 ----- >8 ----- >8 -----

near the end of .bashrc

2. Create a script `$HOME/profile.d/ssh-pageant.sh`

----- 8< ----- 8< ----- 8< ----- 8< -----
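#!/bin/sh

# Nothing to do if ssh-pageant is not installed. This script is executed,
# not sourced, so leave with exit rather than return.
[ -x /usr/bin/ssh-pageant ] || exit 0

_agent="$HOME/.ssh/agent"
# Normalise the arguments; the only option accepted is -k (kill the agent).
eval set -- "$( getopt --shell=sh -o 'k' -- "$@" )"

# Load the settings of a previously started agent, if any.
test -f "$_agent" && . "$_agent"

if [ "$SSH_PAGEANT_PID" ]; then
  if test "$1" = "-k"; then
    /usr/bin/ssh-pageant -qk 2> /dev/null
  fi

  if ! kill -0 "$SSH_PAGEANT_PID" 2> /dev/null; then
    # Reap dead agent's socket
    rm "$SSH_AUTH_SOCK" "$_agent" 2> /dev/null
    unset SSH_AUTH_SOCK SSH_PAGEANT_PID
  fi
fi

# Stop here if asked to kill, or if a live agent is already running.
test "$1" = "-k" && exit
test "$SSH_PAGEANT_PID" && exit

# Start a new agent on a freshly generated socket name and save its settings.
socket="$( mktemp -u /var/run/ssh-XXXXXXXX )"
eval "$( cygdrop -- /usr/bin/ssh-pageant -qsa "$socket" | tee "$_agent" )"

# Remove empty settings file (agent failed to start).
test -s "$_agent" || rm "$_agent"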
----- >8 ----- >8 ----- >8 ----- >8 -----

3. Create login job to run scripts from ~/profile.d/ on user login.

4. If you need agent settings in a different script, that may be run outside
normal terminal/shell workflow, just add

----- 8< ----- 8< ----- 8< ----- 8< -----
test -f "$HOME/.ssh/agent" && . "$HOME/.ssh/agent"
----- >8 ----- >8 ----- >8 ----- >8 -----

near the top.

5. Don't forget to `ssh-pageant.sh -k` before running Cygwin setup.


-- 
With best regards,
Andrey Repin
Thursday, April 23, 2020 21:28:24

Sorry for my terrible english...



* Re: ssh-pageant
  2020-04-23 20:02 ` ssh-pageant Andrey Repin
@ 2020-04-23 20:20   ` Chris Rodgers
  2020-04-23 20:51     ` ssh-pageant Andrey Repin
  0 siblings, 1 reply; 12+ messages in thread
From: Chris Rodgers @ 2020-04-23 20:20 UTC (permalink / raw)
  To: cygwin

Dear Andrew,

Thanks for the detailed reply. Interesting!

> It's not that simple. You can't blindly restart agent every time you wish
> without notifying other programs, `--reuse` is a very bad idea and there's
> no easy way to set/change an environment variable globally for an entire
> user session.

May I ask, why do you say "--reuse" is a very bad idea? I'd be 
interested to know in general, not just when considering this change.

Best wishes,

Chris.



* Re: ssh-pageant
  2020-04-23 18:59     ` ssh-pageant Thomas Wolff
@ 2020-04-23 20:27       ` Bill Stewart
  0 siblings, 0 replies; 12+ messages in thread
From: Bill Stewart @ 2020-04-23 20:27 UTC (permalink / raw)
  To: cygwin

On Thu, Apr 23, 2020 at 1:00 PM Thomas Wolff wrote:

> The Cygwin package manager (setup) in the description of the ssh-pageant
> package:
> "SSH agent for Cygwin/MSYS that links to PuTTY's Pageant"

The language is a bit imprecise, I suppose. Pageant is related to but
!= PuTTY - you don't have to use PuTTY to use Pageant (you may just
prefer to use Pageant instead of ssh-agent or whatever and not use
PuTTY).

Bill


* Re: ssh-pageant
  2020-04-23 20:20   ` ssh-pageant Chris Rodgers
@ 2020-04-23 20:51     ` Andrey Repin
  0 siblings, 0 replies; 12+ messages in thread
From: Andrey Repin @ 2020-04-23 20:51 UTC (permalink / raw)
  To: Chris Rodgers, cygwin

Greetings, Chris Rodgers!

> Thanks for the detailed reply. Interesting!

>> It's not that simple. You can't blindly restart agent every time you wish
>> without notifying other programs, `--reuse` is a very bad idea and there's
>> no easy way to set/change an environment variable globally for an entire
>> user session.

> May I ask, why do you say "--reuse" is a very bad idea? I'd be 
> interested to know in general, not just when considering this change.

With --reuse you're using a predictable name and not checking its permissions.
You can never know if that socket was actually created by you or left there by
accident. If you noticed, I trash both the socket and the agent configuration before
activating the agent anew. That gives me a little more control over what's going
on in the system.


-- 
With best regards,
Andrey Repin
Thursday, April 23, 2020 23:46:25

Sorry for my terrible english...
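
The ownership and permission check that the message above says is missing when a fixed socket name is reused, sketched as an added example that is not part of any message in this thread. `vet` and `agent_decision` are hypothetical helper names, GNU `stat` is assumed, and the wiring in the trailing comment only mirrors paths quoted in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes GNU stat (coreutils).

# vet KIND PATH
#   KIND is a test(1) operator: -S for a socket, -f for a regular file.
#   Succeeds only if PATH is of that kind, is not a symlink, belongs to the
#   current user, and gives group and others no permissions at all.
vet() {
    kind=$1 path=$2
    [ ! -L "$path" ] || return 1          # refuse symlinks outright
    test "$kind" "$path" || return 1      # missing, or not the expected type
    [ "$(stat -c %u -- "$path")" = "$(id -u)" ] || return 1
    case "$(stat -c %a -- "$path")" in
        *00) return 0 ;;                  # 600, 700, ...: nothing for group/other
        *)   return 1 ;;
    esac
}

# agent_decision SOCKET SETTINGS
#   Prints "reuse" when both the fixed-name socket and the saved settings
#   file pass vet, otherwise "fresh" (discard both and start a new agent).
agent_decision() {
    if vet -S "$1" && vet -f "$2"; then
        echo reuse
    else
        echo fresh
    fi
}

# Hypothetical wiring, using paths quoted in the thread:
#   sock="/tmp/.ssh-pageant-$USERNAME"; settings="$HOME/.ssh/agent"
#   if [ "$(agent_decision "$sock" "$settings")" = reuse ]; then
#       . "$settings"
#   else
#       rm -f "$sock" "$settings"   # then start ssh-pageant on a new socket
#   fi
```

A path that passes `vet` was created under the current account and is closed to other accounts; whether the agent behind it is still alive is a separate check, such as the `kill -0 "$SSH_PAGEANT_PID"` test in the script earlier in the thread.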

